In a series of lively discussion panels on December 6 in Dallas, healthcare IT and healthcare IT security leaders looked at some of the core challenges facing the leaders of U.S. patient care organizations, at a time of accelerating IT security threats across the healthcare system.
All those leaders were participants in discussions at the Dallas CHIME LEAD Forum, held at the Joule Hotel in downtown Dallas and cosponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and Healthcare Informatics. The daylong event focused on cybersecurity and included several panels whose discussants included CIOs, CISOs (chief information security officers), and others. All of the day’s panels were moderated by Adrienne Edens, CHIME’s vice president of education.
In the first panel, “Essential Factors for Cybersecurity Preparedness,” Edens led a discussion among John Delano, CISO at Cook Children’s Health System (Ft. Worth); Major Chani Cordero, CIO of the Medical Education Training Campus of the Defense Health Agency (headquartered at Joint Base San Antonio), and Dave Kythe, vice president of security services and strategy at the Carpinteria, Calif.-based Redspin, an Auxilio Company.
First things first, Delano emphasized, near the start of that discussion. “When you’re building a house, you need a structural framework; you can’t just start nailing boards together.” The same is true with regard to healthcare IT security planning, he said. “So you need a security framework to start with. Then you have to prioritize your risk, from the most critical risks, and on. It’s important to create an incident response plan,” he added. “It’s been said that there are two types of networks—one, you have a breach and know it, and the other, you don’t. So develop an incident response plan. Develop security awareness training materials. We do weekly and monthly security tips for our end-users. We train our employees on phishing attempts. You should also invest in cyber insurance,” he urged.
“I saw some numbers recently,” Delano continued. “The average cost of a breach is $7 million to the average organization. So cyber insurance is really a drop in the bucket. And we had a breach where about 3,000 records were compromised. We were able to tap into some resources from the cyber insurance we had bought, and, based on our investigation, we were able to determine that only 11 of those 3,000 records actually had been compromised.” That, he said, demonstrated the value both of cyber insurance, and of strong analytics and processes to investigate potential breaches and other incidents.
Maj. Cordero noted the size and breadth of scope of the operations at the Defense Health Agency’s Medical Education Training Campus. “We’re the DoD’s [Department of Defense’s] largest integrated training campus,” she noted. “We have about 8,000 students and 2,000 staff members at any given time. What we focus on for the most part is defense in depth. One thing that we probably do a bit differently from you is that we’re really big on policy. We have the ability to cut things off—if we have to remove a system or application, we can do it if necessary. Our job is to support providers in patient care, and we do our best to mitigate any risk. I’m pretty sure the bulk of what we do is also what you do.”
Among the advantages that she and her colleagues have at the Defense Health Agency, Cordero said, is that, “For you to have a network account within the DoD, you have to acquire at least a baseline security certification, to add a computer to the domain or do any administrative tasks. As you go up the line as an information security manager or officer, you have to have your CSSP [Certified SonicWall Security Professional certification], or one of two other certifications. Your information assurance manager is not going to be your network chief; your inspection auditor won’t be a facility person. We try to keep those things separate. And Lord forbid you work on Windows XP or anything—we separate all of those consumer-level applications and systems” from the DoD’s networks. “Also, the medical network is typically separate for the Army from the network that the rest of the DoD is on. We do that not only because of traffic, such as PACS [picture archiving and communications systems], because images are very big items, but also because devices on our medical network could be very vulnerable, and we don’t want them to be on an arms system together.” Most importantly, Cordero said, “What we really focus on is known attacks and vulnerabilities. A lot of the attacks today are known to us; they’re just variants on what’s out there. So we focus on what we know right now.”
Kythe noted that “One of the things I’ve seen in larger corporations, especially in global companies, but which we can also do in the U.S., is to spread out responsibilities across time zones.” In U.S. healthcare, that could occur within a national integrated health system, which in some cases, he noted, could relieve the burden on any one portion of an IT team to manage a security crisis.
“Unlike the Army, with its 50 hospitals and a whole slew of government folks who could be all hands on deck if something happened,” Cordero said. “If you’re a standalone facility, I would absolutely do what it takes to have someone at the ready. The risk, we know, is there. And if your team is not available to handle the incident, I would look at insurance and at outsourcing capability.”
CHIME’s Edens noted that “One of the things that makes this work is to have a very frank dialogue about this. It helps to be able to talk about what we’re doing about a real breach or problem,” among healthcare IT security professionals from across the U.S. healthcare system. “It is hard to get a non-bedside FTE, yes. And one of the challenges we have is to start to change that dialogue.” She cited an example of when she went to a position as CIO of a hospital system in a relatively rural state, and found that her new organization was not even in compliance with basic IT security and privacy standards required by the HIPAA (Health Insurance Portability and Accountability Act of 1995) law. Needing to catch up to basic standards at that hospital organization, Edens told her audience that “I actually did a study and put together some numbers and scenarios for them. So if you need to bring in a consultant, then go out and do it. And I got a CISO, a new budget set aside, all because I could put my facts together and present it to the board. So outsource resources, or try to get together a community-wide consortium,” she emphasized.
Time to take a risk-portfolio approach to IT security?
The second panel of the day, “Winning Cybersecurity Strategies Focused on Prevention, Detection, Response and Recovery,” opened with a forceful statement by Ron Mehring, CISO of the integrated, 24-facility Texas Health Resources health system (based in Arlington). “We’re changing the way we look at cybersecurity and the way we integrate services in the organization. First,” Mehring said, “I want to say that cynicism, negativity, and defeatism seem to be a big part of the cybersecurity world. But the reality is that, as a healthcare system, we are getting better. There are amazing efforts and advances taking place. So it’s not inevitable that you will be breached. And the reason we have been breached is that we carry dogma and practices forward from the past, including such elements as complex passwords. You have to get rid of the dogma and say, I’m going to approach this from a healthcare delivery perspective and engineer it that way,” he said. “Cybersecurity success is all about integration and about trade-offs. You’re not going to be able to do everything. The trade-off is a conversation with stakeholders in the organization on what the appropriate steps and resources are.”
Mehring said that what is absolutely essential is to “take a risk-portfolio approach: put good risk and bad risk into the same portfolio. Most organizations are still thinking only about bad risk. But here might be a reason why you might not do something particular. There has to be a realism,” he said; “otherwise, trade-off discussions will become too difficult and too fraught with dogma.” One key element in taking that risk-portfolio approach, he said, is that “The way forward, from my vantage point: it’s about putting high-reliability principles into the program. And everything I learned in aviation in the Marine Corps—it’s all about putting high-reliability principles into operations. And the program has to adopt. And finally, integrated service delivery. The security program must be fully integrated, and becomes a robustness element within your operations.” And that means incorporating threat management, incident management, and vulnerability management elements into an integrated whole, in a data-driven operating environment.
Wayne Keatts, director of enterprise security and architecture at Methodist Health System (Dallas), emphasized that “In order to create a winning strategy, you first have to define your goal for what a winning strategy is. Do you just want to stay out of the news? Simply achieve compliance? Does your organization have a culture where care of the data is as important as caring for the patient? If so, you’ll have the ability to develop a much more successful, more in-depth program than one solely focused on compliance.” He cited six key strategies essential to success: keeping the organization’s board informed; understanding one’s organization’s culture; understanding that “an ounce of prevention is worth a pound of cure”; understanding the layers of complexity involved; routinely testing one’s prevention, detection, response, and recovery capabilities; and training one’s team and one’s organization’s end-users on the security policy. “It is essential to tie your data security strategy to your organization’s business strategy,” he said. “I spend a lot of time in our organization trying to frame our security goals in alignment with patient experience, patient satisfaction, physician satisfaction, major goals of our organization. If you can frame your security strategy as being aligned with the overall business strategy of your organization, that will help a lot. For example, as was mentioned, a benchmark number that has been shared here is a cost of $221 per record breached—I’ve read similar numbers. I know that I don’t ask for $221 per record to defend the records; we can address it for much less than that,” he said.
Looking at cybersecurity from a truly strategic standpoint
Meanwhile, during the third panel of the day, entitled “Process Makes Perfect: Strategies for Cybersecurity Success,” Will Long, vice president and CISO at Children’s Health System of Texas (Dallas), noted that “You can’t manage vulnerabilities on things you don’t know you own, which is why asset management is so important. And you can’t manage vulnerabilities on things that you don’t know your organization is purchasing. The first thing is that your risk management program has to be a threat-centric program,” he asserted. “It has to be designed based on threats to your environment. The sheer number of vulnerabilities, and making sure you design a program that is threat-centric, is important. Align your projects and priorities with your understanding of your vulnerabilities. Vulnerability scanning and tools and services are very important. Patch management is a big part of the risk management program, and goes way beyond servers and PCs to IoT devices, home health devices. Patch management and vulnerability management have to grow exponentially.”
What’s more, Long said, “The news that some people don’t like to hear is that you can’t patch certain things. We have to have integration strategies in our plans to mitigate risks. That might include network segmentation, intrusion detection, and other strategies, for areas where you can’t patch certain things. And you have to inventory things.” He further added what he said was a tip—the fact that the Department of Homeland Security “offers a whole suite of free programs, taxpayer-funded. They have a cyber hygiene program—they’ll scan your Internet presence and send you a weekly report; they’ll scan your security posture, that is free, too. They will also do a two-week engagement where they’ll do an internal and external penetration test program, for free. This was all protected by a presidential order and a PCII, meaning it cannot be disclosed to any other organization.” In any case, it is very important, he said, to “implement a risk assessment and governance program, one that touches on your asset management.”
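The three points Long makes in the two paragraphs above (you cannot manage vulnerabilities on assets you do not know you own, prioritization should be threat-centric rather than driven by the raw count of findings, and assets that cannot be patched need compensating controls such as segmentation and intrusion detection) can be shown in a small triage routine. The following is an added example, not code from the panel, from CHIME, or from any scanner vendor; the host names, `VULN-nnn` identifiers, zones, criticality values and the list of actively exploited vulnerabilities are all constructed placeholders standing in for a real inventory, scan export and threat feed.

```python
"""Threat-centric vulnerability triage joined to an asset inventory.

Added example (not the panel's or any product's code). Each scan finding is
joined to the inventory and turned into one of three actions:
  * "inventory": the host is not in the inventory, so the first job is to
    find out who owns it (you can't manage what you don't know you own);
  * "patch":     the asset is patchable, so schedule the fix;
  * "segment":   the asset cannot be patched (medical device, IoT), so the
    task is a compensating control: network segmentation plus monitoring.
Findings that match a known-exploited list outrank equally severe ones.
All identifiers and numbers below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str
    zone: str
    patchable: bool
    criticality: int  # 1 low .. 3 high: impact on care delivery if this asset is lost


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    severity: float   # scanner score on a 0..10 scale


@dataclass(frozen=True)
class Action:
    host: str
    vuln_id: str
    action: str       # "patch" | "segment" | "inventory"
    score: float


EXPLOITED_WEIGHT = 3.0    # a finding on the known-exploited list counts three times as much
UNKNOWN_CRITICALITY = 3   # an un-inventoried host is treated as high impact until proven otherwise


def triage(inventory: Iterable[Asset], findings: Iterable[Finding],
           known_exploited: Set[str]) -> List[Action]:
    """Return one Action per finding, highest priority first."""
    assets = {a.host: a for a in inventory}
    actions = []
    for f in findings:
        weight = EXPLOITED_WEIGHT if f.vuln_id in known_exploited else 1.0
        asset = assets.get(f.host)
        if asset is None:
            action, crit = "inventory", UNKNOWN_CRITICALITY
        elif asset.patchable:
            action, crit = "patch", asset.criticality
        else:
            action, crit = "segment", asset.criticality
        actions.append(Action(f.host, f.vuln_id, action, f.severity * crit * weight))
    # Deterministic order: score descending, then host and vuln id for ties.
    return sorted(actions, key=lambda a: (-a.score, a.host, a.vuln_id))


def summarize(actions: Iterable[Action]) -> Dict[str, int]:
    """Count actions by type, e.g. {"patch": 2, "segment": 1, "inventory": 1}."""
    counts: Dict[str, int] = {}
    for a in actions:
        counts[a.action] = counts.get(a.action, 0) + 1
    return counts


# Constructed sample data (placeholders, not real hosts or vulnerability ids).
INVENTORY = [
    Asset("hl7-gw01", "integration team", "clinical", patchable=True, criticality=3),
    Asset("infusion-pump-12", "biomed", "medical-devices", patchable=False, criticality=3),
    Asset("kiosk-07", "facilities", "public", patchable=True, criticality=1),
]
FINDINGS = [
    Finding("hl7-gw01", "VULN-0001", 9.8),
    Finding("infusion-pump-12", "VULN-0002", 7.5),
    Finding("kiosk-07", "VULN-0003", 5.0),
    Finding("unknown-printer", "VULN-0001", 9.8),   # not in the inventory at all
]
KNOWN_EXPLOITED = {"VULN-0002"}   # constructed stand-in for a threat feed


if __name__ == "__main__":
    for a in triage(INVENTORY, FINDINGS, KNOWN_EXPLOITED):
        print(f"{a.score:6.1f}  {a.action:<9} {a.host:<18} {a.vuln_id}")
    print(summarize(triage(INVENTORY, FINDINGS, KNOWN_EXPLOITED)))
```

On the constructed data the unpatchable infusion pump with an actively exploited, medium-severity weakness lands at the top of the list with a segmentation task, ahead of a critical-severity finding on a patchable gateway; a pure severity sort would have put it second. The unknown printer is neither patched nor segmented but sent back to asset management, which is the point Long makes about inventory coming first.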
And Mac McMillan, co-founder and CEO of the Austin-based CynergisTek consulting firm, advocated for a long-term, strategic perspective on all of this. “I want to talk about the business level of this,” McMillan said. “One of the things we need to understand in any organization is that managing risk is a business process, not just a security process. And the really successful folks understand that, understand the vulnerabilities, and understand how risks impact the organization’s ability to accomplish its core mission.”
Unfortunately, McMillan said, as a healthcare industry, “We got off on the wrong foot early on in terms of data security, and talked way too much about compliance. And the reason we did that is that there wasn’t yet a security culture in healthcare, so we focused on compliance standards. But today, our environment is completely different from how it was 20 years ago, and compliance will not get us there.”
Indeed, McMillan said, “We need to understand that we are in a very tech-savvy threat environment. This now involves very sophisticated technical attacks, and using social media and social engineering approaches. And we really have to up our game. We need smarter technology today as well. The antiquated approaches of the past, including rules-based analysis, won’t cut it. We need heuristic-based analysis, role-based analysis, based on how individuals and systems behave. How do we succeed at this? The formula is simple; the doing is difficult: understand security and vulnerability, which means understanding your tradecraft. If you’re a CISO and aren’t up to date on understanding the threats and the technology, then you’re just not doing your job. We all need to study the enemy and understand how they’re coming at us, how they’re going to attack us. And we need to understand what’s important in our business—what’s really important. At any time of any day, something bad is happening, something’s going awry. But not everything affects our business equally.” In short, he summarized, “You have to be focused on impact. It’s not just about PHI or information anymore; it’s about impact analysis. It’s about analyzing impacts. I would submit to you that losing your systems and losing access to your information where it affects your ability to deliver care, is a far bigger threat than someone simply accessing your organization. So we need to understand that. And while that smaller percentage of hacks is representing almost 98 percent of the data that’s being compromised.”
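McMillan’s contrast between rules-based analysis and role-based analysis “based on how individuals and systems behave” is easiest to see on an access log. The following is an added example, not code from the panel, CynergisTek or any monitoring product: it builds a constructed day of EHR chart-view audit events, then scores every user two ways, once against a fixed records-per-day threshold and once against the median of peers holding the same role. User names, roles, the log format and the patient identifiers are all placeholders.

```python
"""Role-based behavioural baseline versus a static rule on audit events.

Added example (not the panel's or any product's code). A fixed threshold on
charts viewed per day treats a billing clerk and a nurse identically, so it
either floods the queue with billing staff or is set so high that a nurse
who suddenly views ten times as many charts as colleagues slips through.
Comparing each user to peers in the same role is the role-based analysis
McMillan describes. All users, roles and patient ids are constructed.
"""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed profile: (user, role, distinct charts viewed on the sample day).
_PROFILE = [
    ("nurse_a", "nurse", 4), ("nurse_b", "nurse", 5), ("nurse_c", "nurse", 3),
    ("nurse_d", "nurse", 40),                      # roughly 10x what nurse peers view
    ("billing_a", "billing", 12), ("billing_b", "billing", 11),
]


def build_audit_log() -> List[str]:
    """Synthesise one day of key=value audit lines from the constructed profile."""
    lines, pid = [], 1000
    for user, role, n in _PROFILE:
        for i in range(n):
            pid += 1
            lines.append(f"2016-12-05T{8 + i % 9:02d}:{(i * 7) % 60:02d}:00 "
                         f"user={user} role={role} action=view_chart patient=P-{pid}")
    return lines


_EVENT = re.compile(r"user=(\S+) role=(\S+) action=view_chart patient=(\S+)")


def distinct_charts(lines: List[str]) -> Dict[str, Tuple[str, Set[str]]]:
    """Map user -> (role, set of distinct patient ids viewed); other events ignored."""
    seen: Dict[str, Tuple[str, Set[str]]] = {}
    for line in lines:
        m = _EVENT.search(line)
        if not m:
            continue
        user, role, patient = m.groups()
        seen.setdefault(user, (role, set()))[1].add(patient)
    return seen


def static_rule(seen: Dict[str, Tuple[str, Set[str]]], threshold: int = 10) -> List[str]:
    """Rules-based: flag anyone over a fixed number of charts, regardless of role."""
    return sorted(u for u, (_, charts) in seen.items() if len(charts) > threshold)


def role_baseline_rule(seen: Dict[str, Tuple[str, Set[str]]], factor: float = 3.0) -> List[str]:
    """Behaviour-based: flag a user whose count exceeds `factor` x the median of same-role peers."""
    by_role: Dict[str, Dict[str, int]] = defaultdict(dict)
    for user, (role, charts) in seen.items():
        by_role[role][user] = len(charts)
    flagged = []
    for members in by_role.values():
        for user, count in members.items():
            peers = [c for other, c in members.items() if other != user]
            if not peers:
                continue          # a role with one member has no baseline; leave it to other controls
            if count > factor * median(peers):
                flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    log = build_audit_log()
    seen = distinct_charts(log)
    print("static rule (>10 charts):", static_rule(seen))
    print("role baseline (>3x peer median):", role_baseline_rule(seen))
```

On the constructed day the static rule flags both billing clerks alongside the outlier nurse, while the peer comparison flags only the nurse; in practice the median would come from weeks of history rather than one day, and a user whose role has no peers would need a different baseline (for example, their own past behaviour), which is why the function declines to score such users rather than guessing.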